CVE-2026-25138: Rucio WebUI has Username Enumeration via Login Error Message
(updated )
The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.
References
- cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- github.com/advisories/GHSA-38wq-6q2w-hcf9
- github.com/rucio/rucio
- github.com/rucio/rucio/releases/tag/35.8.3
- github.com/rucio/rucio/releases/tag/38.5.4
- github.com/rucio/rucio/releases/tag/39.3.1
- github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9
- nvd.nist.gov/vuln/detail/CVE-2026-25138
Code Behaviors & Features
Detect and mitigate CVE-2026-25138 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →